CN109981666A - Access method, access system and access server - Google Patents

Access method, access system and access server

Info

Publication number: CN109981666A
Authority: CN (China)
Prior art keywords: access side, access, user data, data, user
Legal status: Granted (status as listed by Google, not a legal conclusion)
Application number: CN201910257945.4A
Other languages: Chinese (zh)
Other versions: CN109981666B (en)
Inventors: 孙吉平, 李永建
Current assignee: Beijing Wikipedia Technology Co Ltd (assignee as listed by Google, not verified)
Original assignee: Beijing Wikipedia Technology Co Ltd

Events
Application filed by Beijing Wikipedia Technology Co Ltd
Priority to CN201910257945.4A
Publication of CN109981666A
Application granted
Publication of CN109981666B
Legal status: Active

Classifications

Both classifications sit under Section H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication), H04L63/00 (Network architectures or network communication protocols for network security):

    • H04L63/0442: providing a confidential data exchange among entities communicating through data packet networks (H04L63/04), wherein the data content is protected, e.g. by encrypting or encapsulating the payload (H04L63/0428), and wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/0815: authentication of entities (H04L63/08), providing single-sign-on or federations

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)
  • Storage Device Security (AREA)

Abstract

An access method and system applied to an access side. The method comprises: after an access request is received through a first application, selecting an accessed side according to the user's operation and redirecting from the first application to the login interface of that accessed side; receiving a user data ciphertext from the accessed side through the first application; obtaining target user data and first verification data from the user data ciphertext using the access side's private key; verifying the first verification data using the accessed side's public key; and, once verification passes, completing the user's login to the first application. Because the user data is both verified and transmitted encrypted using the key pairs of the access side and the accessed side, the method and system of the embodiments achieve bi-directional verification of the user data transmission and so effectively protect the user data in transit.

Description

Access method, access system and access server
Technical field
The present invention relates to the field of information security, and in particular to an access method, an access system and an access server.
Background
In today's rapidly developing internet, bringing a business online quickly, shortening the development cycle and reducing cost have become goals pursued by software companies. Almost all internet software involves an account system, and there are generally two strategies for establishing one: building one's own account system, or integrating a third-party account system. The advantage of a self-built account system is that the users belong to the company itself; the disadvantage is that users accumulate slowly, so the business grows slowly. Conversely, the advantage of integrating a third-party account system is a short development cycle, and because the typical third party is well known and has a large number of active users, it helps promote the service and lets it grow quickly; the disadvantage is that, in a certain sense, the users are not the company's own.
When a company's own software is not yet well known, relying on a well-known third-party account system in the early stage of development is more beneficial to its business; for example, the products of many software companies choose to integrate account systems such as QQ. A newly developed piece of software may also need the data resources a user has generated in another piece of software, in which case it must likewise use its account system to access the account center of the other system.
Once the decision is made to integrate a third-party account system, integrating it securely and quickly becomes the key consideration.
Summary of the invention
The present invention provides an access method, an access system and an access server that can guarantee the security of user data transmission in a convenient and fast manner.
Accordingly, in one aspect, an embodiment of the present application provides an access method applied to an access side, comprising: after an access request is received through a first application, selecting an accessed side according to the user's operation and redirecting from the first application to the login interface of the accessed side, so that the user enters user login information at that login interface; receiving a user data ciphertext from the accessed side through the first application, the user data ciphertext being obtained by the accessed side, after it has verified the user login information, by processing target user data with an agreed algorithm and the accessed side's private key to obtain first verification data and then encrypting the target user data together with the first verification data; obtaining the target user data and the first verification data from the user data ciphertext using the access side's private key; verifying the first verification data using the accessed side's public key; and completing the user's login to the first application once verification passes.
Optionally, the first verification data is a digital signature, and verifying the first verification data using the accessed side's public key comprises: verifying the signature over the target user data using the accessed side's public key.
Optionally, the first verification data is a digital signature, and verifying the first verification data using the accessed side's public key comprises: verifying the signature over a predetermined portion of the target user data using the accessed side's public key.
Optionally, obtaining the target user data and the first verification data from the user data ciphertext using the access side's private key comprises: decrypting the user data ciphertext with the access side's private key to obtain the target user data and the first verification data.
Optionally, the user data ciphertext comprises a first ciphertext and a second ciphertext, and obtaining the target user data and the first verification data from the user data ciphertext using the access side's private key comprises: decrypting the second ciphertext with the access side's private key to obtain a random key; and decrypting the first ciphertext with the random key to obtain the target user data and the first verification data.
Optionally, the target user data is obtained by assembling the following data: the access side's unique application identifier at the accessed side and the unique user identifier allocated to the user by the accessed side for that access side; or the unique application identifier, the unique user identifier and at least one of the user data protocol version, an operation information code and a timestamp.
Optionally, the address of the redirection interface used to receive the user data ciphertext is sent to the accessed side.
Optionally, completing the user's login to the first application after verification passes comprises: generating a unique identifier for the user at the access side and storing the target user data in association with that unique identifier.
In another aspect, an embodiment of the present application provides an access system comprising a server side and a first application installed on a terminal device, wherein the first application comprises: a user interface configured to receive an access request, select an accessed side according to the user's operation, and redirect from the first application to the login interface of the accessed side so that the user enters user login information there; and a redirection interface configured to receive a user data ciphertext from the accessed side, the user data ciphertext being obtained by the accessed side, after it has verified the user login information, by processing target user data with an agreed algorithm and the accessed side's private key to obtain first verification data and then encrypting the target user data together with the first verification data. The server side comprises: a communication unit configured to receive the user data ciphertext from the first application; and a processing unit configured to obtain the target user data and the first verification data from the user data ciphertext using the access side's private key, verify the first verification data using the accessed side's public key, and complete the user's login to the first application once verification passes.
In another aspect, an embodiment of the invention provides an access system comprising an accessed-side server, an access-side server and a first application installed on a terminal device. The first application comprises: a user interface configured to receive an access request, select an accessed side according to the user's operation, and redirect from the first application to the login interface of the accessed side so that the user enters user login information there; and a redirection interface configured to receive a user data ciphertext from the accessed side. The accessed-side server comprises: a first communication unit configured to receive the user login information and send the user data ciphertext; and a first processing unit configured to verify the user login information and, after verification passes, process target user data with an agreed algorithm and the accessed side's private key to obtain first verification data and encrypt the target user data together with the first verification data to obtain the user data ciphertext. The access-side server comprises: a second communication unit configured to receive the user data ciphertext from the first application; and a second processing unit configured to obtain the target user data and the first verification data from the user data ciphertext using the access side's private key, verify the first verification data using the accessed side's public key, and complete the user's login to the first application once verification passes.
In yet another aspect, an embodiment of the invention provides an access server comprising a processor configured to run predetermined computer instructions so as to perform the method of any of the above embodiments.
With the user data transmission method and apparatus of the embodiments of the invention, the key pairs of the access side and the accessed side are used to verify and encrypt the user data in transit, achieving bi-directional verification of the user data transmission and so effectively protecting the user data.
Brief description of the drawings
Fig. 1 is a schematic flow chart of one embodiment of the access method of the invention.
Fig. 2 is a schematic flow chart of another embodiment of the access method of the invention.
Fig. 3 is a schematic flow chart of another embodiment of the access method of the invention.
Fig. 4 is a schematic flow chart of another embodiment of the access method of the invention.
Fig. 5 is a schematic flow chart of another embodiment of the access method of the invention.
Fig. 6 is a schematic block diagram of one embodiment of the access system of the invention.
Fig. 7A is a schematic block diagram of another embodiment of the access system of the invention.
Fig. 7B is a schematic flow chart of another embodiment of the access method of the invention.
Fig. 7C is a schematic flow chart of another embodiment of the access method of the invention.
Detailed description of the embodiments
In the following, the application is described in detail with reference to the accompanying drawings and specific embodiments, which do not limit the application.
It should be understood that various modifications may be made to the disclosed embodiments. Accordingly, the following description should not be regarded as limiting but only as an example of the embodiments. Those skilled in the art will envisage other modifications within the scope and spirit of the disclosure.
The accompanying drawings, which are included in and form part of the description, illustrate embodiments of the disclosure and, together with the general description given above and the detailed description of the embodiments given below, serve to explain the principles of the disclosure. These and other features of the application will become apparent from the description of preferred forms of the embodiments, given as non-limiting examples with reference to the drawings.
Specific embodiments of the disclosure are described below with reference to the drawings; it should be understood, however, that the disclosed embodiments are merely examples of the disclosure, which may be implemented in various ways. Well-known and/or repeated functions and structures are not described in detail, so that unnecessary or redundant detail does not obscure the disclosure. The specific structural and functional details disclosed herein are therefore not intended to be limiting, but serve only as a basis for the claims and as a representative basis for teaching those skilled in the art to make varied use of the disclosure in virtually any suitable detailed structure.
This specification may use the phrases "in one embodiment", "in another embodiment", "in yet another embodiment" or "in other embodiments", each of which may refer to one or more of the same or different embodiments according to the disclosure.
In the following, the embodiments of the application are described in detail with reference to the drawings.
Fig. 1 is a schematic flow chart of one embodiment of the access method of the invention. The access method of this embodiment is applied to the access side (the party that integrates a third-party account system; the third party is referred to as the accessed side). As shown in Fig. 1, the access method of this embodiment comprises:
S11: after an access request is received through the first application, an accessed side is selected according to the user's operation, and the first application redirects to the login interface of the accessed side so that the user enters user login information at that login interface;
S12: a user data ciphertext is received from the accessed side through the first application; the user data ciphertext is obtained by the accessed side, after it has verified the user login information, by processing the target user data with an agreed algorithm and the accessed side's private key to obtain first verification data and then encrypting the target user data together with the first verification data;
S13: the target user data and the first verification data are obtained from the user data ciphertext using the access side's private key, the first verification data is verified using the accessed side's public key, and once verification passes the user's login to the first application is completed.
Specifically, in the embodiments of the invention the first application may be a stand-alone application developed by the access side to provide application services to users, or it may be a browser on the terminal device through which the user visits the access side's website and logs in. The login interface of the accessed side may be a second application distinct from the first application, in which case the redirection is a jump from the first application to the second application on the user terminal; it may also be a browser page. The accessed side may be the owner of the user data, and the access side a party that uses that user data. As one specific embodiment, the access side may be one server and the accessed side another server, the two being operated by different operators. As another specific embodiment, the access side may comprise an application installed on the user terminal together with its application server, the application being connected to the access side's application server, while the accessed side may be another server that communicates with the access side.
The access side receives the access request from the user through the first application; for example, when the user needs to log in to the first application in order to use a specific function of it, the access request is issued by operating the user interface of the first application. At this point the user interface of the first application may prompt whether to log in with a third-party account, for instance by showing several third-party service providers as icons, and the user clicks one of them to select the accessed side. According to the user's selection, the access side redirects from the first application to the login interface of the chosen accessed side, where the user enters the login information of his or her account at the accessed side.
After the user has entered and submitted the login information, the accessed side receives and verifies it. If verification passes, this shows that the user is a registered user of the accessed side and that the request to log in to the first application through the accessed side was submitted by this user; the accessed side then proceeds to transfer the target user data to the access side's first application.
Before the user data is transmitted, the access side must generate a key pair in advance and submit its public key to the accessed side. The accessed side must likewise generate a key pair in advance, generate or allocate a unique identifier for the access side, which indicates which access side is requesting to use the user data, and submit its public key and that unique identifier to the access side.
The target user data to be transmitted may comprise the access side's unique identifier at the accessed side and user information data. When the access side comprises the first application, the unique identifier may be a unique application identifier, for example an AppId. The user information data may, for example, comprise the user's unique identifier at the accessed side, which the accessed side may store in association with the user's login information, digital resources, personal information and the like. For example, where the accessed side is a third-party login server, once the access side has obtained the user information data, each time the user logs in to the access side by logging in at the accessed side, the access side can confirm, by verifying the user information data sent by the accessed side, that the user has passed the accessed side's login authentication, and so place the user in the logged-in state at the access side.
In the embodiments of the invention, when target user data needs to be transmitted to the access side, the accessed side processes the target user data with the agreed algorithm and its own private key to obtain the first verification data, encrypts the target user data together with the first verification data to obtain the user data ciphertext, and sends it to the access side. After receiving the user data ciphertext, the access side decrypts it with its own private key to obtain the target user data and the first verification data, and verifies the first verification data with the accessed side's public key. Here the first verification data lets the access side verify the accessed side, because the verification succeeds only with the correct accessed-side public key. Encrypting the first verification data and the target user data together into the ciphertext sent to the access side serves to verify the access side, because only the access side holds the private key required to decrypt the ciphertext, so only it can obtain the target user data and the first verification data. In this way bi-directional verification between the access side and the accessed side is achieved.
Once bi-directional verification between the access side and the accessed side is complete, the access side confirms that the target user data received from the accessed side is valid, stores it, and places the user in the state of being logged in to the access side through the first application.
With the access method of the embodiments of the invention, the key pairs of the access side and the accessed side are used to both verify and encrypt the user data in transit, achieving bi-directional verification of the user data transmission and so effectively protecting the user data. When the scheme of the embodiments is applied to third-party login, even if a malicious party intercepts the user data, it cannot decrypt it to obtain the plaintext, because it lacks the access side's private key, and it cannot tamper with or forge the user data either, which effectively prevents exploitation of the "covert redirect" vulnerability.
Fig. 2 is a schematic flow chart of another embodiment of the access method of the invention. As shown in Fig. 2, the access method of this embodiment comprises the following steps:
S21: after an access request is received through the first application, an accessed side is selected according to the user's operation, and the first application redirects to the login interface of the accessed side so that the user enters user login information at that login interface.
S22: a user data ciphertext is received from the accessed side through the first application.
S23: the user data ciphertext is decrypted with the access side's private key to obtain the target user data and the first verification data.
S24: the first verification data is verified over the target user data using the accessed side's public key.
In the embodiments of the invention, when generating the user data ciphertext the accessed side may digitally sign the target user data with an agreed digital signature algorithm to obtain a first digital signature as the first verification data. The agreed signature algorithm may be any algorithm, such as DSA or RSA. The accessed side then encrypts the target user data and the first digital signature and sends them to the access side; for example, it may encrypt them with the access side's public key or with another agreed key, where the agreed key may be a symmetric key negotiated by both sides in advance. After receiving the user data ciphertext, the access side obtains the target user data and the first digital signature from it using the access side's private key or the other agreed key, and then verifies the first digital signature over the target user data using the accessed side's public key. If the signature verifies, the target user data is regarded as trusted and is stored; otherwise the target user data is regarded as having been illegally tampered with or forged and is discarded.
Fig. 3 is a schematic flow chart of another embodiment of the access method of the invention. As shown in Fig. 3, the access method of this embodiment comprises the following steps:
S31: after an access request is received through the first application, an accessed side is selected according to the user's operation, and the first application redirects to the login interface of the accessed side so that the user enters user login information at that login interface.
S32: a user data ciphertext is received from the accessed side through the first application.
S33: the ciphertext is decrypted with the access side's private key to obtain the target user data and the first verification data.
S34: the signature in the first verification data is verified over a predetermined portion of the target user data using the accessed side's public key.
In the embodiments of the invention, when generating the user data ciphertext the accessed side may digitally sign a predetermined portion of the target user data with an agreed digital signature algorithm to obtain a first digital signature as the first verification data. The agreed signature algorithm may be any algorithm, such as DSA or RSA. The accessed side then encrypts the target user data and the first digital signature and sends them to the access side; for example, it may encrypt them with the access side's public key or with another agreed key. After obtaining the user data ciphertext, the access side obtains the target user data and the first verification data from it using the access side's private key and verifies the signature over the predetermined portion of the target user data using the accessed side's public key. If the signature verifies, the decrypted target user data is regarded as legitimate and is stored; otherwise the decrypted target user data is discarded.
Fig. 4 is a schematic flow chart of another embodiment of the access method of the invention. As shown in Fig. 4, the access method of this embodiment comprises the following steps:
S41: after an access request is received through the first application, an accessed side is selected according to the user's operation, and the first application redirects to the login interface of the accessed side so that the user enters user login information at that login interface.
S42: a user data ciphertext comprising a first ciphertext and a second ciphertext is received from the accessed side through the first application.
S43: the second ciphertext is decrypted with the access side's private key to obtain a random key.
S44: the first ciphertext is decrypted with the random key to obtain the target user data and the first verification data.
S45: the first verification data is verified over the target user data using the accessed side's public key.
In the embodiments of the invention, after the accessed side has processed the target user data with its private key to obtain the first verification data, it first encrypts the target user data and the first verification data with a random key to generate a first ciphertext, then encrypts the random key with the access side's public key to generate a second ciphertext, and sends the user data ciphertext comprising the first and second ciphertexts to the access side. The random key may be any key, for example a pseudo-random key generated by machine. The way in which the accessed side encrypts the target user data and the first verification data with the random key to obtain the first ciphertext may be arbitrary: the target user data and the first verification data may be encrypted as a whole, or one of them or a part of them may be encrypted first and the whole encrypted again; predetermined portions of the target user data and the first verification data may also be encrypted multiple times. Likewise, the way in which the random key is encrypted with the access side's public key to obtain the second ciphertext may be arbitrary: the access side's public key may encrypt part of the random key or the whole of it, or the random key may be encrypted a predetermined number of times.
In the embodiments of the invention, the accessed side assembles the first ciphertext and the second ciphertext in a predetermined format before sending them to the access side, so that the access side can extract the first ciphertext and the second ciphertext according to that format, decrypt the second ciphertext with the access side's private key to obtain the random key, decrypt the first ciphertext with the random key to obtain the target user data and the first verification data, and then verify the first verification data. Depending on how the accessed side generated the first verification data, the verification step may specifically be: verifying the first verification data over the target user data using the accessed side's public key.
Fig. 5 is a schematic flow chart of another embodiment of the access method of the invention. As shown in Fig. 5, the access method of this embodiment of the invention includes the following steps:
S51: after an access request is received by the first application, the accessed side is selected according to the user's operation, and the first application redirects to the login interface of the accessed side, so that the user inputs user login information in the login interface of the accessed side;
S52: the user data ciphertext is received from the accessed side by the first application;
S53: the second ciphertext is decrypted with the access side's private key to obtain the random key;
S54: the first ciphertext is decrypted with the random key to obtain the target user data and the first verification data;
S55: the signature on the first verification data is verified using the accessed side's public key on the basis of the predetermined portions of the target user data;
S56: a unique identification is generated for the user at the access side, and the target user data is stored in correspondence with the unique identification.
In an embodiment of the present invention, the predetermined portions of the target user data are a matter of convention. In one embodiment, the predetermined portions and their numbering can be associated in different ways; for example, the various parts of the target user data can be numbered. After the access side obtains the user data ciphertext comprising the first ciphertext and the second ciphertext, it obtains the random key from the second ciphertext using the access side's private key, decrypts the first ciphertext with the random key to obtain the target user data and the first verification data, and verifies the signature on the first verification data using the accessed side's public key on the basis of the predetermined portions of the target user data. If the verification passes, the target user data obtained by decryption is regarded as legitimate, a unique identification is generated for the user at the access side, and the target user data is stored in correspondence with the unique identification; otherwise, the target user data obtained by decryption is discarded.
In the embodiment of the present invention, the target user data can be obtained by assembling several items of data. For example, the accessed side can obtain the target user data by assembling the unique application identification of the access side at the accessed side with the unique user identification that the accessed side assigns to the user for that access side. In addition to these identifications, the target user data can also include other user-related information, such as at least one of a user data protocol version, an operation information code and a timestamp.
In the embodiment of the present invention, the access side can also send in advance the redirection interface address that is to receive the user data ciphertext to the accessed side, either through the first application or directly from the application server, so that the accessed side can send the user data ciphertext directly to the redirection interface address after generating it.
Fig. 6 is a schematic block diagram of one embodiment of the access system of the invention. As shown in Fig. 6, the access system of this embodiment of the invention includes a server side 61 and a first application 620 installed on a terminal device 62.
The first application 620 includes a user interface 621 and a redirection interface 622. The user interface 621 is configured to receive an access request, select the accessed side according to the user's operation, and redirect from the first application to the login interface of the accessed side, so that the user inputs user login information in the login interface of the accessed side. The redirection interface 622 is configured to receive the user data ciphertext from the accessed side, the user data ciphertext being obtained by the accessed side, after verifying the user login information, by processing the target user data with the accessed side's private key according to an agreed algorithm to obtain the first verification data and then encrypting the target user data and the first verification data.
The server side 61 includes a communication unit 611 and a processing unit 612. The communication unit 611 is configured to receive the user data ciphertext from the first application; the processing unit 612 is configured to obtain the target user data and the first verification data from the user data ciphertext using the access side's private key, verify the first verification data using the accessed side's public key, and complete the user's login to the first application after the verification passes.
In an embodiment of the present invention, the operation and configuration of each unit of the access system correspond to the access method described above.
With the access system of the embodiment of the present invention, the public and private keys of the accessed side can be used to verify the user data and to transmit it encrypted, achieving two-way verification of the user data transmission and thereby effectively guaranteeing the transmission security of the user data. When the scheme of the embodiment of the present invention is applied to third-party login, even if a criminal intercepts the user data, he cannot decrypt it to obtain the plaintext of the user data, because he does not have the private key of the access side, nor can the user data be tampered with or counterfeited, so that exploitation of the "covert redirect" vulnerability by criminals is effectively avoided.
Fig. 7A is a schematic block diagram of another embodiment of the access system of the invention.
As shown in Fig. 7A, the access system of the invention includes an accessed side server 71, an access side server 72 and a first application 730 installed on a terminal device 73.
The first application 730 includes a user interface 731 and a redirection interface 732. The user interface 731 is configured to receive an access request, select the accessed side according to the user's operation, and redirect from the first application to the login interface of the accessed side, so that the user inputs user login information in the login interface of the accessed side; the redirection interface 732 is configured to receive the user data ciphertext from the accessed side.
The accessed side server 71 includes a first communication unit 711 and a first processing unit 712. The first communication unit 711 is configured to receive the user login information and to send the user data ciphertext; the first processing unit 712 is configured to verify the user login information and, after the verification passes, to process the target user data with the accessed side's private key according to the agreed algorithm to obtain the first verification data, and to encrypt the target user data and the first verification data to obtain the user data ciphertext.
The access side server 72 includes a second communication unit 721 and a second processing unit 722. The second communication unit 721 is configured to receive the user data ciphertext from the first application; the second processing unit 722 is configured to obtain the target user data and the first verification data from the user data ciphertext using the access side's private key, verify the first verification data using the accessed side's public key, and complete the user's login to the first application after the verification passes.
The access system of the embodiment of the present invention operates specifically as follows:
One, initialization data (Fig. 7B). When the access side is connected, the accessed side needs to provide the following interfaces for the access side to call in order to initialize its data:
1. generate a unique identification AppID for the access side;
2. allow the access side to upload the public key representing the access side's identity, which is stored in the accessed side's system;
3. the accessed side generates a public/private key pair representing the accessed side's identity, returns the public key to the access side and keeps the private key in its own system;
4. save the interface address of the access side to which the user information is returned after the accessed side's user authentication passes;
5. the information generated by the access side and the accessed side is stored in the t_accessParty table.
Two, the access side needs to provide an interface for storing its initial data, as follows: assign an id to the accessed side's account center, identifying which account center is accessed, and store the public key obtained in step 3 of part one, its own private key and the AppId in the t_userCenter table. After this step is completed, the calls between the access side and the accessed side's system proceed in the following steps (Fig. 7C):
1. the user accesses the access side's online service through a terminal device (which may be a browser, or a terminal device developed by the access side); if access through multiple account centers is supported, the user must be allowed to choose which account center to use, such as a Tencent QQ account or a Sina Weibo account;
2. the account center option on the interface corresponds to its AppId; the access side's system carries parameters such as the AppId and redirects to the accessed side's user system to perform user login verification;
3. the user enters the correct account information on the accessed side's system login page (the user can of course also cancel the login during this process);
4. after the accessed side's system verifies the account information, it uses the parameter AppId to fetch the public key of the access side corresponding to that AppId from the t_accessParty table and assembles the user data package with its own private key. It should be noted that here a user number unique to this access side is allocated to the user and written into UserInfo; if this user logs in again through the accessed side, the same number is used rather than a regenerated one, so the allocated user number must be stored in the t_accessPartyUserIdMapping table of the accessed side's own storage service. After login verification passes, the system first determines whether the user already has a unique number for this access side: if so, it is used directly; if not, one is generated and saved to the table. The assembled data package is sent to the user data redirection interface provided by the access side;
5. after the terminal device obtains the user data, it submits the data to the access side's server side;
6. after the access side's server system receives the data package, it unpacks it to obtain the data defined in the protocol. UserInfo holds the unique number that the accessed side assigned to the logged-in user for this access side; the access side's server side generates a new unique number corresponding to it and stores both in the t_userInfo table, and if the user is already in the table no new row is inserted. With this the user's login to the access side's system is completed. The reason for regenerating the number is that, when multiple account centers are connected, the user numbers that the account centers of different vendors assign to different accounts of the access side may collide; within the access side's system the logged-in user is therefore identified by the regenerated user number.
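The packet assembly of step 4 and the unpacking and checking of step 6, which are the first and second ciphertexts described earlier in the method, as an added example in Go that is not the patent's own code: RSA-PSS stands in for the agreed signature algorithm, AES-256-GCM for the random-key encryption and RSA-OAEP for wrapping the random key; the Envelope layout, the GenKey helper and the field set of TargetUserData are assumptions made here.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

const nonceSize = 12 // standard AES-GCM nonce length

// TargetUserData is the assembled data the description names: the access
// side's AppID plus the user number assigned to the user for it (UserInfo).
type TargetUserData struct {
	AppID, UserInfo string
}

// Envelope is an assumed predetermined format (not from the patent): First is
// nonce || AES-256-GCM(randomKey, signature || data), Second is RSA-OAEP(accessPub, randomKey).
type Envelope struct{ First, Second []byte }

// GenKey returns a fresh 2048-bit RSA key pair; each side gets its own.
func GenKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}

// Seal is the accessed side's step: sign (first verification data), encrypt
// under a fresh random key, wrap that key for the access side's public key.
func Seal(d TargetUserData, accessedPriv *rsa.PrivateKey, accessPub *rsa.PublicKey) ([]byte, error) {
	data, _ := json.Marshal(d)
	h := sha256.Sum256(data)
	sig, err := rsa.SignPSS(rand.Reader, accessedPriv, crypto.SHA256, h[:], nil)
	if err != nil {
		return nil, err
	}
	key := make([]byte, 32) // the random key, generated anew for every packet
	rand.Read(key)          // crypto/rand; Read is documented never to fail
	nonce := make([]byte, nonceSize)
	rand.Read(nonce)
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	first := gcm.Seal(nonce, nonce, append(sig, data...), nil) // nonce prepended
	second, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, accessPub, key, nil)
	if err != nil {
		return nil, err
	}
	return json.Marshal(Envelope{First: first, Second: second})
}

// Open is the access side's step: unwrap the key with its own private key,
// decrypt, then verify the signature with the accessed side's public key.
func Open(env []byte, accessPriv *rsa.PrivateKey, accessedPub *rsa.PublicKey) (d TargetUserData, err error) {
	var e Envelope
	if err := json.Unmarshal(env, &e); err != nil {
		return d, err
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, accessPriv, e.Second, nil)
	if err != nil || len(key) != 32 {
		return d, fmt.Errorf("second ciphertext: key unwrap failed")
	}
	if len(e.First) < nonceSize {
		return d, fmt.Errorf("first ciphertext: too short")
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	inner, err := gcm.Open(nil, e.First[:nonceSize], e.First[nonceSize:], nil)
	if err != nil {
		return d, fmt.Errorf("first ciphertext: decryption failed") // tampered or wrong key
	}
	n := accessedPub.Size() // an RSA-PSS signature is exactly one modulus long
	if len(inner) < n {
		return d, fmt.Errorf("first ciphertext: payload too short")
	}
	sig, data := inner[:n], inner[n:]
	h := sha256.Sum256(data)
	if err := rsa.VerifyPSS(accessedPub, crypto.SHA256, h[:], sig, nil); err != nil {
		return d, fmt.Errorf("first verification data: signature check failed")
	}
	return d, json.Unmarshal(data, &d) // only now is the packet trusted
}
```

A packet built without the accessed side's private key, opened with a key other than the access side's, or altered by a single byte in transit is rejected by Open before any of its contents are used.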
The modules described in the embodiments of the present application can be implemented in hardware, as shown in Fig. 6, or in software. For example, in another embodiment of the access system of the invention, the access system applied to the access side may include a processor and a memory, the memory being configurable to store predetermined computer instructions and the processor being configurable to run the predetermined computer instructions stored in the memory so as to execute the processing flows of the embodiments shown in Figs. 1 to 5.
It will be apparent to those skilled in the art that, for convenience and brevity of description, the electronic device to which the data processing method described above is applied may refer to the corresponding description in the foregoing product embodiments, and the details are not repeated here.
The above embodiments are only exemplary embodiments of the present application and are not intended to limit it; the scope of protection of the present application is defined by the claims. Those skilled in the art can make various modifications or equivalent replacements to the present application within its spirit and scope of protection, and such modifications or equivalent replacements shall also be regarded as falling within the scope of protection of the present application.

Claims (11)

1. An access method, applied to an access side, the method comprising:
selecting the accessed side according to the user's operation after an access request is received by a first application, and redirecting from the first application to the login interface of the accessed side, so that the user inputs user login information in the login interface of the accessed side;
receiving user data ciphertext from the accessed side by the first application, the user data ciphertext being obtained by the accessed side, after verifying the user login information, by processing target user data with the accessed side's private key according to an agreed algorithm to obtain first verification data and encrypting the target user data and the first verification data;
obtaining the target user data and the first verification data from the user data ciphertext using the access side's private key, verifying the first verification data using the accessed side's public key, and completing the user's login to the first application after the verification passes.
2. The method according to claim 1, wherein the first verification data is a digital signature, and verifying the first verification data using the accessed side's public key comprises:
verifying the signature on the first verification data using the accessed side's public key on the basis of the target user data.
3. The method according to claim 1, wherein the first verification data is a digital signature, and verifying the first verification data using the accessed side's public key comprises:
verifying the signature on the first verification data using the accessed side's public key on the basis of predetermined portions of the target user data.
4. The method according to any one of claims 1 to 3, wherein obtaining the target user data and the first verification data from the user data ciphertext using the access side's private key comprises:
decrypting the user data ciphertext with the access side's private key to obtain the target user data and the first verification data.
5. The method according to any one of claims 1 to 3, wherein the user data ciphertext comprises a first ciphertext and a second ciphertext, and obtaining the target user data and the first verification data from the user data ciphertext using the access side's private key comprises:
decrypting the second ciphertext with the access side's private key to obtain a random key;
decrypting the first ciphertext with the random key to obtain the target user data and the first verification data.
6. The method according to any one of claims 1 to 5, wherein the target user data is obtained by assembling the following data: the unique application identification of the access side at the accessed side and the unique user identification assigned by the accessed side to the user for the access side; or the unique application identification, the unique user identification and at least one of the three data items user data protocol version, operation information code and timestamp.
7. The method according to any one of claims 1 to 5, further comprising:
sending the redirection interface address used to receive the user data ciphertext to the accessed side.
8. The method according to any one of claims 1 to 5, wherein completing the user's login to the first application after the verification passes comprises:
generating a unique identification for the user at the access side, and storing the target user data in correspondence with the unique identification.
9. An access system, comprising a server side and a first application installed on a terminal device, wherein:
the first application comprises:
a user interface, configured to receive an access request, select the accessed side according to the user's operation, and redirect from the first application to the login interface of the accessed side, so that the user inputs user login information in the login interface of the accessed side;
a redirection interface, configured to receive user data ciphertext from the accessed side, the user data ciphertext being obtained by the accessed side, after verifying the user login information, by processing target user data with the accessed side's private key according to an agreed algorithm to obtain first verification data and encrypting the target user data and the first verification data;
the server side comprises:
a communication unit, configured to receive the user data ciphertext from the first application;
a processing unit, configured to obtain the target user data and the first verification data from the user data ciphertext using the access side's private key, verify the first verification data using the accessed side's public key, and complete the user's login to the first application after the verification passes.
10. An access system, comprising an accessed side server, an access side server and a first application installed on a terminal device, wherein:
the first application comprises:
a user interface, configured to receive an access request, select the accessed side according to the user's operation, and redirect from the first application to the login interface of the accessed side, so that the user inputs user login information in the login interface of the accessed side;
a redirection interface, configured to receive user data ciphertext from the accessed side;
the accessed side server comprises:
a first communication unit, configured to receive the user login information and send the user data ciphertext;
a first processing unit, configured to verify the user login information and, after the verification passes, process target user data with the accessed side's private key according to an agreed algorithm to obtain first verification data, and encrypt the target user data and the first verification data to obtain the user data ciphertext;
the access side server comprises:
a second communication unit, configured to receive the user data ciphertext from the first application;
a second processing unit, configured to obtain the target user data and the first verification data from the user data ciphertext using the access side's private key, verify the first verification data using the accessed side's public key, and complete the user's login to the first application after the verification passes.
11. An access server comprising a processor, the processor being configured to run predetermined computer instructions to execute the method according to any one of claims 1 to 8.
CN201910257945.4A 2019-04-01 2019-04-01 Access method, access system and access server Active CN109981666B (en)
Publications (2)

Publication Number Publication Date
CN109981666A true CN109981666A (en) 2019-07-05
CN109981666B CN109981666B (en) 2020-08-04